Description

python-jose thru 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., is_admin=true) and bypass authentication checks, leading to privilege escalation or unauthorized access in applications that rely on python-jose for token validation. This issue is exploitable unless developers explicitly reject 'alg=none' tokens, which is not enforced by the library. NOTE: all parties agree that the issue is not relevant because it only occurs in a "verify_signature": False situation.

INFO

Published Date :

2025-10-10T00:00:00.000Z

Last Modified :

2025-11-25T17:09:56.140Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-61152 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-61152.

URL Resource
https://github.com/javiermorales36/PoC-for-python-jose-alg-none-JWT-bypass-vulnerability/blob/main/CVE-2025-61152_Security_Advisory.md cve-icon cve-icon
https://github.com/mpdavis/python-jose/issues/391 cve-icon cve-icon
https://pypi.org/project/python-jose cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact